Associated Press
reports
that the personal information of all licensed medical doctors in
Puerto Rico was acquired in a recent hack. They report that since
the hack, doctors have been getting harassing emails, but it’s not
clear from their reporting what information was accessed or
acquired in the intrusion, other than the statement from Puerto
Rico’s Association of Surgeons [I think AP
meant College of Physicians and Surgeons - Dissent] that whoever
stole the information can engage in identity theft and submit fake
prescriptions.

The AP also did not
report how many physicians had data in the database, but another AP
report in April 2013 noted that the number of doctors in Puerto
Rico had dropped from 11,397 to 9,950, according to the island’s
Medical Licensing and Studies Board. I cannot find any website for
the College of Physicians and Surgeons for Puerto Rico.

If anyone has
additional information on this breach, please let me know.

Updated:
With the clarity that extra caffeine brings, it dawned on me this
morning that even if there are fewer than 10,000 physicians currently,
we don’t know how far back their database goes, and there might be
many more individuals whose data were in there.

A caution for
academics, but a warning for owners/stewards/guardians/custodians of
data – you must set security rules and ensure they are followed.
(Why give up the data at all when you could run the analysis in-house
and only disclose the summarized results?)

A
University of Minnesota law professor has apologized
to violent crime victims and witnesses after a computer with
sensitive information of nearly 300 people was stolen from his
office, but he said Friday that there’s no indication the thief has
accessed the data.

Criminologist
Barry Feld, a prominent juvenile justice scholar, was collecting data
from closed case records for a study on law enforcement interrogation
techniques when the laptop, a scanner and external hard drive were
taken last February. His research, which required
his team to sign confidentiality agreements before obtaining the
data, has since been terminated.

Read more on Pioneer
Press. Maura Lerner of the Star Tribune, who broke the
story yesterday, noted
the sensitivity and background of the individuals whose data were
on the stolen devices:

All
had been witnesses or victims in cases that were prosecuted in early
2005 in Hennepin and Ramsey County courts.

One
victim, who had been raped as an 11-year-old, received Feld’s
letter last week. Her mother told the Star Tribune that she was
shocked by the data theft, and that she had no idea that her
daughter’s information had been shared with a researcher. “I was
aghast,” she said. It was particularly galling, she said, because
the family had been unable to get some of that same information, such
as witness testimony, when they requested it.

Feld admitted that the
data were not properly secured:

“I
did not properly protect the data,” Feld told The Associated Press
in a phone interview Friday. The incident was first reported by the
Minneapolis Star Tribune.

A
police report said the equipment wasn’t locked and was stolen from
under a desk in the office Feld shares with several research
assistants. University police made no arrests in the case nor have
they had any leads, according to a school spokesman.

Not only were the data
not properly secured, it would appear that there was no backup or
master index, as it took from last February until now for them to
reconstruct a list of who needed to be notified.

All in all, this sounds
like a total failure. I would love to see the contract or agreement
the professor signed with the county to gain access to the research
materials. Did the agreement require him to not just maintain
confidentiality but to actually deploy reasonable and commercially
available security protocols? If not, why not? Perhaps some
enterprising reporter in Minnesota might want to investigate whether
the state and county are requiring adequate security for access to
personal and sensitive information.

“Now we can say we've
done something. We made a speech!” Looking at the President's
speech on “NSA reforms” I see that nothing specific has been
proposed. (What a surprise) On the other hand, perhaps that is the
correct response to all the kerfuffle. Vague words and phrases like:

… we will review

… we will reform

… a panel of
advocates from outside government to provide an independent voice in
significant cases [Definition of “significant” to follow Bob]

… I’m asking the
attorney general and DNI to institute reforms

… amend how we use
national security letters

… ordering a
transition

… we will only
pursue phone calls that are two steps removed from a number
associated with a terrorist organization, instead of the current
three [Sounds good, unless you think everyone on the calling tree
is part of the organization? Bob]

Yes, let’s just
declassify and dump two dozen FISC orders right before a holiday weekend
(sigh). From IC on the Record:

The
documents being released today comprise orders from the FISC
approving the National Security Agency’s (NSA) collection and use
of telephony metadata under Section 501. These orders provide
additional information regarding the controls imposed by the FISC on
the processing, dissemination, security and oversight of telephony
metadata acquired under Section 501. This includes the Court’s
imposition of additional controls in response to compliance incidents
that were discovered by NSA and then reported to the FISC. These
orders are available at the website of the Office of the Director of
National Intelligence (http://www.dni.gov),
and ODNI’s public website dedicated to fostering greater public
visibility into the intelligence activities of the Government
(IcontheRecord.tumblr.com).

Do you see why I
recommend breach victims, even big ones with huge legal departments,
call in some Professional Help? This was not good customer service
even before the breach. Where were the managers?

How comfortable would
you feel giving Target
all your sensitive information right now?

Michael Baxter of
Somerville has an answer: “I have no confidence in their security
there.”

Baxter and his wife got
a call Wednesday.

“They identified
themselves as the Target fraud detection department, and there
was a suspicious transaction of over $1,200,” Baxter told WBZ-TV.
[Is this an indication that the stolen cards are being used already?
Bob]

They called the number
on their statement and confirmed it was true. They are among as many
as 110 million customers affected by Target’s pre-holiday credit
card breach.

But what happened next
made Baxter feel like a victim all over again.

Target sent him a
questionnaire to fill out and return to process his claim.

… When he refused,
the customer service representative told him they could not process
his claim without it.

“I wasn’t getting
anywhere, so I asked for a manager. That took four or five minutes.
The supervisor came on the line and she was even more aggressive with
it.”

When we contacted
Target, the company changed its tune.

“Our policy is to
investigate all fraud claims even if the form is not filled out,”
said spokesperson Molly Snyder. “And filling out the form is not a
requirement. However, if we don’t have the form filled out it
makes our investigation more difficult.”

A cybercrime firm says it has uncovered at least
six ongoing attacks at U.S. merchants whose credit card processing
systems are infected with the same type of malicious software used to
steal data from Target Corp.

… He said payment
card data was stolen in the attacks, though he didn't know how much.

… Komarov, an
expert on cybercrime who has helped law enforcement investigate
previous attacks, told Reuters on Friday that retailers in California
and New York were among those compromised by BlackPOS. Reuters was
unable to confirm the retailers' names. [If they are ONLY in New
York or ONLY in California, they can't be very large. Bob]

… has proposed that
his town adopt an ordinance that would allow residents to take up to
three shots at drones flying over the town at fewer than 1,000 feet
(more if your life is in danger). The measure, which has divided the
town of 550, will be voted on at the ballot box in April. Until
then, Steel is selling his own licenses, for $25
each, [Wish I had thought of it! Bob]
to anyone who wants, though they "have no legal value,"
Matt
Pearce reports in the Los Angeles Times.

Eriq Gardner reports
that Hulk Hogan has lost a round in his litigation over Gawker
publishing excerpts from a private sex tape they acquired. Hogan
failed
to get a federal court to grant an injunction prohibiting its
publication, but then found a state judge who granted his motion for
an injunction. Today, a Florida appeals court overturned
the injunction, explaining that, given Hogan’s
own public comments about his affair, this was a
matter of public concern and protected by the First Amendment.

If the court
decides they do need a warrant, will that apply to teachers as well?
(See yesterday's blog) How about border guards?

– is your personal
web crawler. It can crawl into any website and find what you really
want (video clips, images, music files, etc). FoxySpider displays
the located items in a well-structured thumbnail gallery for ease of
use. Once the thumbnail gallery is created you can view, download or
share (on Facebook and Twitter) every file that was fetched by
FoxySpider.

– is a Twitter
Analytics tool. It gives you stats such as who mentions you and how
many times, & number of retweets. You can also analyze another
Twitter user’s profile and obtain the same information. What’s
even better is that you can search for keywords on Twitter, with who
mentioned those words and how they fit into popular hashtags.

For my programming
students. (Useful for learning a new language, convert a program you
wrote in an old language.)

– is an online
web-based cross-platform source code converter that supports codes
such as C#, Visual Basic .Net, Java, Ruby, Iron Python, and Boo. The
free plan will allow you 8 conversions daily, and 2,048 characters
per conversion. To remove all restrictions, just share Varycode on
Facebook or Twitter.

When you need to
research something, where do you start? Most of us answer this
question with “Google“,
and “Wikipedia“.
But if you’re researching online with Google and Wikipedia as your
main tools, you’re only hitting the tip of the iceberg. While
these offer some great basic information on a huge variety of
subjects, if you want to delve deeper, you need a wider variety of
sources to choose from.

The handy
infographic below takes a look at different methods of online
research, and gives a flowchart flush with a number of different web
search options for you to try out.

… Congress
has passed the 2014 "omnibus appropriations legislation."
Among other things, a win for open access to
publicly-funded research: it
requires that “federal agencies with research budgets of at
least $100 million per year will be required to provide the public with
free online access to scholarly articles generated with federal
funds.” The bill also removes
restrictions that prevented the NSF
from funding political science. There’s more
money for the NIH
and more money for the Pell
Grant.

… Senator Patty
Murray (D-WA) and Representative Jared Polis (D-CO)
have introduced
the Investing in States To Achieve Tuition Equity (IN-STATE) Act of
2014, which provides incentives for states to offer in-state tuition
and need-based aid for undocumented students.
[Could my nephew claim to be undocumented (who wants
to admit they are from New Jersey) and get in state tuition? Bob]

… Early this week,
The
LA Times reported that the Los
Angeles School District was surveying how much other
districts had paid for their technology. Because, ya know, I guess
they didn’t think to do any due diligence before agreeing to the
outrageous $768 per iPad
price-tag.

… Whatever the
investigation into pricing, it didn’t stop the school board from
earmarking
$115 million to buy more iPads
to make sure everyone has one in time for “standardized testing
scheduled for this spring.” Priorities.

… You can now
rent
textbooks at Staples (or via Staples.com at
least).

… The US
News & World Report has released its
rankings of the Best Online Programs.

… The Berkman
Center for Internet and Society have released a number of reports on
student privacy, including
this one that talks with youth about their thoughts on tech usage
at school. Spoiler alert: they know how to bypass your web filters.

Friday, January 17, 2014

I'm not sure how you
would program the site to do this. Random Number generator, I guess.
Should be as simple as backing out the last “Update” but I
suspect it will be more complicated. The website is still down.

Navy
veteran Sylvester Woodland said he couldn’t believe what he was
seeing Wednesday night when he logged onto the Veterans
Affairs’ E-Benefits website.

“It
gave me a different person’s name, each and every time I came
back,” Woodland said. “At first I thought it was just a glitch,
but the more I thought about it, I said, wait a minute, this is more
than a glitch, this is a breach.”

Woodland
was on the VA’s E-Benefits website trying to track down his own
history for a bank loan. Instead, windows kept popping up displaying
other veterans’ medical and financial information.

“When
you click on these hyperlinks here, it takes you to the bank account,
the direct deposit, bank account, last four, what bank is it for,”
Woodland said. “I’ll bet he has no idea that I’m sitting here
in my house with his information.”
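The story does not say what the VA's update actually broke. One mechanism that produces exactly this symptom (a different person's name on every reload) is a shared response cache that stores an authenticated page under its URL path alone. The following is an added, constructed illustration of that bug beside its fix, not code from the VA site; the session ids, user records and field names are invented for the example.

```python
"""Shared response cache keyed by URL path alone (bug) versus keyed per user (fix).

Constructed illustration, not code from the VA's E-Benefits site: a shared
cache (in-app, proxy or CDN) that stores an authenticated page under its path
only will serve the first user's rendered page to everyone else until it
expires, which looks to each visitor like "a different person's name every time".
"""
import time
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed sample records; the session ids, names and values are illustrative only.
USERS = {
    "sess-A": {"name": "Alice Example", "acct_last4": "1234"},
    "sess-B": {"name": "Bob Example", "acct_last4": "9876"},
}


def render_profile(session_id: str) -> str:
    """Render the authenticated page body for the user who owns this session."""
    user = USERS[session_id]
    return f"Welcome {user['name']}; direct deposit account ending {user['acct_last4']}"


@dataclass
class ResponseCache:
    """Tiny shared cache: cache key -> (body, expiry), standing in for a proxy/CDN layer."""
    ttl: float = 60.0
    store: dict = field(default_factory=dict)

    def get(self, key):
        hit = self.store.get(key)
        return hit[0] if hit and hit[1] > time.monotonic() else None

    def put(self, key, body):
        self.store[key] = (body, time.monotonic() + self.ttl)


def handle_vulnerable(cache: ResponseCache, path: str, session_id: str) -> Tuple[Dict[str, str], str]:
    """BUG: the cache key ignores who is asking and the response is marked
    publicly cacheable, so the page rendered for the first logged-in user is
    handed to every later visitor of the same path."""
    body = cache.get(path)
    if body is None:
        body = render_profile(session_id)
        cache.put(path, body)
    return {"Cache-Control": "public, max-age=60"}, body


def handle_fixed(cache: ResponseCache, path: str, session_id: str) -> Tuple[Dict[str, str], str]:
    """FIX: per-user pages are stored only under a key bound to the requesting
    identity, and the headers tell any intermediary not to store them at all."""
    key = (path, session_id)
    body = cache.get(key)
    if body is None:
        body = render_profile(session_id)
        cache.put(key, body)
    return {"Cache-Control": "private, no-store"}, body


def leaked_name(handler) -> bool:
    """Return True if user B receives user A's page through a fresh shared cache."""
    cache = ResponseCache()
    handler(cache, "/profile", "sess-A")   # Alice loads her page first
    _, body_for_b = handler(cache, "/profile", "sess-B")
    return "Alice Example" in body_for_b


if __name__ == "__main__":
    print("vulnerable handler leaks Alice's page to Bob:", leaked_name(handle_vulnerable))
    print("fixed handler leaks Alice's page to Bob:     ", leaked_name(handle_fixed))
```

The same check (log in as two test users, load the same authenticated URL, compare bodies) is a cheap post-deployment smoke test for any site that fronts logged-in pages with a cache.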

KAPTOXA
POS Report Overview – “iSIGHT Partners, working with the U.S.
Secret Service, has determined that a new piece of malicious
software, KAPTOXA (Kar-Toe-Sha), has potentially infected a large
number of retail information systems. This software can find, store,
and then transmit sensitive information such as credit card and PIN
numbers. These findings are part of a need-to-know joint report
released today by the Department of Homeland Security, USSS, FS-ISAC
and iSIGHT Partners. The use of malware to compromise payment
information storage systems is not new. However, it is the first
time we have seen this attack at this scale and sophistication.
Importantly, this software contains a new kind of attack method
that is able to covertly subvert network controls and common forensic
tactics, concealing all data transfers and executions that may have
been run, rendering it harder to detect. Many retail
organizations may not know that they have been infected, or that they
have already lost data.”

B.C.’s
Information and Privacy Commissioner Elizabeth Denham invites public
submissions on her investigation into the use of police information
checks. Interested citizens or groups are welcome to answer the
questions the Commissioner has posed in this consultation letter. In
addition, or alternatively, the public can provide our Office
whatever views they may have on the subject including any particular
experiences they have had with police information checks. We would
appreciate receiving these responses by email to info@oipc.bc.ca no
later than February 21, 2014.

There is an increasing
trend towards the use of police information checks as a screening
tool for employers to assist in determining the suitability of a
prospective employee or volunteer. While these individuals consent
to the conduct of the check before it takes place, it is unlikely
that an individual who refuses a check will still be considered for
an employment or volunteer position.

Yesterday’s story
about the point-of-sale malware used in the Target attack has
prompted a flood of analysis and reporting from antivirus and
security vendors about related malware. Buried within those reports
are some interesting details that speak to possible actors involved
and to the timing and discovery of this breach.

Yes, I can reach your
appliances, but I can't use them to empty your bank account. Or can
I?

It's
apparently the first recorded large-scale Internet of Things hack.
Proofpoint found that the compromised gadgets—which included
everything from routers and smart televisions to at least one smart
refrigerator—sent more than 750,000 malicious emails to targets
between December 26, 2013 and January 6, 2014.

… Pinging one
device brought up a login screen that said: Welcome To Your
Fridge. She typed in a default password—something like
“admin” or "adminadmin," Knight said—and suddenly had
access to the heart of someone's kitchen.

… “Embedded
operating systems deployed in firmware tend to be old, not patched
very frequently, and there are known vulnerabilities to virtually all
of them,” Knight said.

Fire up the Gulfstream,
I'm heading to Brussels! Oh, wait. I don't have a private jet.
Darn! Anyone want to make a large donation to my Blog? NOTE: I get
in free, so all I need is the jet.

You
are kindly invited to the seventh edition of the ‘Computers,
Privacy & Data Protection’ (CPDP) conference, to be held on
22-24 January 2014 in Brussels, Belgium. The conference will include
panels covering all current debates in the field: the data protection
reform in the European Union, PRISM, big data, privacy by design,
cloud computing, biometrics, and e-health and will have special
sessions on impact assessments, Roma empowerment in the digital era
and other topics. Over 60 panels are scheduled.

Members of the press
with an official press card can register free of charge as "press
on invitation".

What if that file of
random looking characters is a file of
random looking characters? How does one prove that gibberish is not
encrypted evidence? (Because apparently the police need not prove it
isn't)

Police had issued
Hussain with the notice under section
49 of RIPA to force him to let the cops into his USB stick.

The judge said
Hussain's deliberate refusal to comply with a police notice and hand
over his password was a very serious matter because
it served to frustrate a police investigation, the BBC
reports.
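On the "how does one prove gibberish is not encrypted" question above, here is an added, constructed illustration (not from the case or the BBC report) of why the answer is "you can't, from the bytes alone": random data and ciphertext share the same statistical profile. The toy cipher is a SHA-256 counter-mode keystream chosen only so the example runs on the standard library; the key and sample text are invented.

```python
"""Byte statistics of random data versus ciphertext versus plain text.

Constructed illustration for the section 49 discussion: random bytes and
encrypted bytes have the same entropy and histogram, so a "this looks
encrypted" triage heuristic cannot establish that a key exists. The toy cipher
is a SHA-256 counter-mode keystream used only so the example runs without
third-party libraries; it is not a substitute for a real cipher.
"""
import hashlib
import math
import os
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution.
    Uniform data scores near 255 (its degrees of freedom); text scores far higher."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher: XOR data with SHA-256(key || block counter).
    Symmetric, so applying it again with the same key decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def looks_encrypted(data: bytes, min_entropy: float = 7.9) -> bool:
    """The kind of heuristic a forensic triage tool applies: near-maximal entropy.
    It flags noise and ciphertext alike, because ciphertext is built to look like noise."""
    return shannon_entropy(data) >= min_entropy


def analyze(data: bytes) -> dict:
    """Summarise one sample: entropy, chi-square and the heuristic's verdict."""
    return {
        "entropy": round(shannon_entropy(data), 3),
        "chi_square": round(chi_square_uniform(data), 1),
        "looks_encrypted": looks_encrypted(data),
    }


def build_samples(n: int = 65536) -> dict:
    """Constructed inputs: prose, the same prose encrypted, genuinely random bytes,
    and the prose compressed (compressed archives also score as high-entropy)."""
    lines = (b"Line %d: the quick brown fox jumps over the lazy dog. " % i for i in range(10000))
    prose = b"".join(lines)[:n]
    return {
        "prose": prose,
        "ciphertext": keystream_encrypt(b"constructed-demo-key", prose),
        "random": os.urandom(n),
        "compressed": zlib.compress(prose, 9),
    }


if __name__ == "__main__":
    for label, sample in build_samples().items():
        print(f"{label:>11}: {analyze(sample)}")
```

The "random" and "ciphertext" rows come out identical under both measures; only knowledge of a key turns one of them back into the prose row.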

Imagine deleting (or
forcing the deletion of) video showing teachers breaking the law.
Really bad idea. Wouldn't the Best Practice be to hold the phone
until Mom or Dad can see what the school wants to delete? Or is the
school saying, “We don't need no stinking parents?”

It’s
been almost two months since controversy erupted at Hillsboro’s
R.A. Brown Middle School over staff
reviewing and deleting video on students’ cell phones. In its
first work session since the holiday break, the Hillsboro School
Board reacted Tuesday evening by examining its search and seizure
policies.

[...]

Hungerford
said the relevant court cases have given conflicting rulings about
how broad searches can be, but school officials must have “reasonable
suspicion” that a student violated school rules in order to search
him, and the search must be “reasonable in scope.” For instance,
if a student is reasonably suspected of stealing a football,
Hungerford said, a teacher cannot make him empty his pockets.

He
said he doesn’t think it’s a good idea for school officials to
ever delete material off of a student’s phone. Hungerford also
recommended that in a sensitive situation – he gave the example of
students texting each other photos of an exam – teachers or
administrators should direct students to delete the photos
themselves, and then discipline them for insubordination if they
don’t comply.

Police investigating
vandalism allegations against Justin Bieber are searching his cell
phone for clues after seizing the mobile during a raid of his
California home on Tuesday (14Jan14).

Cops descended on the
Baby hitmaker's Calabasas mansion after a neighbour complained to
authorities last week (09Jan14), when the singer was reportedly
discovered hurling eggs at his front door.

Detectives took
Bieber's iPhone away as evidence during the search, and tech experts
at the Los Angeles County Sheriff's Office are currently scanning the
device for any potentially incriminating photos, text messages or
other material.

… Officers are also
studying surveillance footage taken from Bieber's pad, which was
equipped with a "well operated" security system.

Justin
Bieber is worried about what cops are going to find
on his cell phone, but we're told his issues involve nakedness and
drugs ... not so much eggs.

Law enforcement sources
tell us ... when they searched
Justin's house Tuesday, they
seized his cell phone ... took it right out of his hot little hands.
Sources say cops are interested in texts that could incriminate him.
Cops want to see if he texted someone after the fact and bragged
about the egging. One law enforcement source called it a "text
high 5."

Sources tell us ...
he's concerned more about drug discussions and references. Even if
cops find drug references, Justin's in the clear given there's no
physical evidence -- nonetheless J.B. is afraid it will leak out.

We're told he's also
concerned that there are naked photos in his phone, although we don't
know if they're action shots, selfies, etc.

And we're not even
going to mention bad grammar.

Will this force the
addition of a “working” light? Perhaps a little flag?

Southern
California resident Cecilia Abadie appeared in
San Diego traffic court on Thursday for speeding and for wearing
Google Glass while driving. It is considered the first time someone
has been cited for wearing the face-mounted technology while driving.

Commissioner John Blair
threw out both charges, stating there wasn't enough evidence to prove
beyond a reasonable doubt that the Google Glass was turned on at the
time. It is only illegal to wear the device while driving if it is
operational.

… "It doesn't
necessarily answer the question everybody wanted: Is it legal to
drive down the road wearing Google Glass while it's operating?"
said William Concidine of My Traffic Guys. Concidine and his
partner, Gabriel Moore, are the traffic ticket attorneys who defended
Abadie in court on Thursday.

Amusing. I guess you
grab anything for a bit of attention when you are fund raising...
(This links to the AMA session)

I believe that Edward
Snowden has done more to support and defend the Constitution—in
particular, the First and Fourth Amendments—than any member of
Congress or any other employee or official of the Executive branch,
up to the president: every one of whom took that same oath, which
many of them have violated.

The percentage of
adults who read an e-book in the past year has risen to 28%, up from
23% at the end of 2012. At the same time, about seven in ten
Americans reported reading a book in print, up four percentage points
after a slight dip in 2012, and 14% of adults listened to an
audiobook.

Though e-books are
rising in popularity, print remains the foundation of Americans’
reading habits. Most people who read e-books also read print books,
and just 4% of readers are “e-book only.”

Yale
students made a better version of their course catalogue. Then Yale
shut it down.

A pair of Yale students
and brothers, Peter Xu and Harry Yu, built a site that let students
plan out their schedules while comparing class evaluations and
teacher ratings for the past three semesters. Thousands of Yale
students used it, apparently finding it a better resource than
similar sites run by the university. But this week, as the "shopping
period" where students are able to try out classes and finalize
their schedules began, Yale not only blocked the Web site from campus
networks, labeling it "malicious," but forced the brothers
to take it down or face disciplinary action.

For my Students. The
only concern I have is that $2.99 is $2.99 too much. But then, I
didn't spend $300-$500 for an iPad.

A Naked Security reader
just emailed us to say, "I received a message from Target about
the
breach. It talks about customers, and people who shopped at the
company's stores, and names me in the breach. But I've never
actually shopped at Target."

The concerned reader
also pointed out that the statement was published
on Target's website back on 13 January 2014, but the email she
received only arrived on 16 January 2014.

… It certainly
seems, from our reader's confusion, that "guests" (who lost
details like name, address and phone number) include people who have
had something to do with Target, somewhere, somehow, but who
have never actually bought
any products there recently, or even at all.

… Secondly, if I
were Target, I would not have said this:

Never
share information with anyone over the phone, email or text, even if
they claim to be someone you know or do business with. Instead,
ask for a call-back number.

If you don't know and
trust someone who calls you, why would you trust any phone number or
web URL they might give you?

(Related) For my
Computer Security students (and my Ethical Hackers). May be a bit too
geeky for everyone else.

Last weekend, Target
finally disclosed at least one cause of the massive data breach that
exposed personal and financial information on more than 110 million
customers: Malicious software that infected point-of-sale systems at
Target checkout counters. Today’s post includes new information
about the malware apparently used in the attack, according to two
sources with knowledge of the matter.

Neiman Marcus Group
Ltd. is being investigated by states including Connecticut and
Illinois over the theft of customer credit-card data by hackers, and
a bank sued Target Corp. for its data breach during the holiday
season.

Connecticut Attorney
General George Jepsen and Illinois Attorney General Lisa Madigan,
whose offices are already leading a multistate investigation in the
Target breach, are also looking into the hack of Dallas-based Neiman
Marcus, which said on Jan. 10 that some unauthorized purchases may
have been made with credit cards.

… Other states
involved in the Target probe include Florida, Iowa, Massachusetts and
Pennsylvania, spokespersons for those states’ attorneys general
confirmed yesterday.

Democratic U.S.
Senators Claire McCaskill of Missouri and Jay Rockefeller of West
Virginia today made public a letter they sent jointly to Target on
Jan. 10 requesting a briefing on the data breach from the retailer’s
information security officials.

… Schneiderman said
in a statement yesterday that his office’s Consumer Protection
Bureau is also looking into reports of security breaches at other
retailers and called on those companies, which weren’t identified
in the statement, to offer free consumer protections to customers.

Friedman declined in a
phone interview to name the other retailers and wouldn’t comment
when asked if Neiman Marcus is one of them.

In a disappointing
decision
yesterday (Jones v. United Kingdom), the European Court of
Human Rights upheld the immunity of states and state officials from
civil suits for torture in foreign courts. In doing so, it may have
written an obituary for one of the most heralded of all human rights
cases: the U.K. House of Lords’ 1999 Pinochet
decision, which stripped criminal immunity from Chile’s former
head of state for some of the murders and tortures committed during
his dictatorship.

Who can protect my
Ethical Hackers? Would a neutral party, with enough clout to get
anyone's attention, be able to stop this nonsense? Should they
contact the “victim” through a lawyer?

Bah. How many times
have I written that every site should have a clearly posted/dedicated
number to call or email to report security problems? Maybe if sites
took my sage advice, we wouldn’t have so many of these situations.

… In some cases, a
parent could authorize a child's in-app purchase, which was charged
to the adult's credit card, and not realize that for the next 15
minutes, further purchases could be made without parental
intervention – giving the kid a large window of time to buy plenty
of expensive stuff.

… The $32.5m
settlement will not hamstring Apple (net income last year: $37bn).
Based on the company's financial
figures for the year to October 2013, the company raked in sales
of $170.9bn. So today's refund payout is worth about 6,000 seconds
of Apple's time in terms of annual revenue, or about an hour and
forty minutes. Or 7.6 hours of annual profit.

… Researchers at the University of Michigan believe they have
calculated the optimum time for a cyber attack.

The model, from student
Rumen Iliev and political science professor Robert Axelrod, focuses
heavily on timing: Wait until the attack will cause the most
destruction, but not too long so that the vulnerability hackers are
exploiting has been fixed.

… Though presented from the perspective of the offense—the
hacker looking for the best moment to exploit a vulnerability—the
findings are equally relevant to those companies and agencies
hoping to fend off a future attack.

Okay, maybe not some of
the work my Ethical Hackers do, but generally I favor “Public!”
(And links to the work on student resumes)

… School
administrators, who are rightfully risk-averse, often immediately
say that no public posting is allowed. By decree, access to any
student work must be limited to only those approved and with
passwords.

Teachers, afraid of
potential headaches due to students saying something inappropriate,
bullying, or not having total control also get nervous about allowing
students to publish freely online.

And, I’m very mindful
of the fact that the privacy feature built into Edublogs is one of
the number one reasons why schools choose our service. My answer to
the privacy question isn’t really good for business.

But, when you
look at all the benefits that publishing to the web can bring to
student learning, the answer is most definitely yes.

No matter the age or
experience, we believe that blogs are meant to be public.

From
electronic surveillance to healthcare privacy to drones, Congress is
planning to consider a wide range of privacy legislation this year.
The Edward Snowden leaks about the National Security Agency and the
recent data breaches at retailers are likely to keep privacy and data
security on the top of many lawmakers’ agendas. After the jump is
a summary of twenty pending privacy-related bills to keep an eye on
during the remainder of the 113th Congress.

“This report provides
references to analytical reports on cybersecurity from CRS, other
government agencies, trade associations, and interest groups. The
reports and related websites are grouped under the following
cybersecurity topics:

policy overview

National Strategy
for Trusted Identities in Cyberspace (NSTIC)

cloud computing
and FedRAMP

critical
infrastructure

cybercrime, data
breaches and data security

national security,
cyber espionage, and cyberwar (including Stuxnet)

international
efforts

education/training/workforce

research and
development (R&D)

In addition, the report
lists selected cybersecurity-related websites for congressional and
government agencies, news, international organizations, and
organizations or institutions.”

… Gregory Little,
an attorney at White & Case LLP who defends companies against
class actions, said retail companies are at “significant risk” of
facing class actions as large data breaches become more common. “As
technology makes it easier to harm larger numbers of individuals,
there is greater likelihood that class actions are going to be
brought,” said Mr. Little.

… Some small banks
are also seeking damages from Target for the costs they are incurring
because of the breach. Alabama State Employees Credit Union, which
leads a class action case of affected banks, said in its complaint
that it has been “swamped by customers and its members needing to
close accounts” to prevent fraudulent activity, forcing the small
bank to spend time and money creating new cards and refunding lost
deposits.

Payment processing
firms that have been assisting retailer Target, which recently
suffered a major data breach, could face millions of dollars in fines
and costs due to the issue.

Target's partners could
face consumer lawsuits and fines that payment networks such as Visa
Inc and MasterCard Inc often levy after cyber security incidents,
Reuters has reported.

… Reuters noted
that a similar hacking in the mid-2000s at retailer TJX Companies
resulted in penalties of $880,000 (£536,000, €644,000) for Fifth
Third Bancorp of Ohio, which processed transactions for TJX.

Any electronic purchase
from a store like Target involves several companies. They include
the banks that issue credit or debit cards, the "merchant
acquirer" who handles the payment for the store when the card is
swiped and companies such as Visa and MasterCard who operate the
networks through which payment request and confirmation are sent.

(Related) Target must
calculate that with 110,000,000 records compromised, they might as
well offer monitoring to all of their 110,000,002 customers. Great
PR target.

More Target-sized
security breaches will happen if banks and retail stores don’t
start working together to further protect customers’ data, JPMorgan
Chase’s CEO Jamie Dimon said Jan. 14.

JPMorgan
has replaced 2 million credit and debit cards as a result
of the Target breach, Dimon said. That number is expected to rise.
JPMorgan is the world’s largest issuer of credit cards.

… “Target has
taken the extraordinary step to offer free credit
monitoring to all of its customers, not just those affected by the
breach. This is an opportunity Target customers may want
to take advantage of, depending on individual circumstances,”
Wasden said.

In case you missed it
earlier today, the Senate Judiciary Committee held a hearing on the
Report of the President’s Review Group on Intelligence and
Communications Technologies (the PRGICT
Report), where the Group members testified regarding their
proposed reforms and recommendations for U.S. national security
surveillance programs. If you were unable to catch the hearing
today, a full
video is available on C-SPAN (unfortunately, an embeddable
version is not yet available, but we’ll update this post
accordingly once one is up).

… In the C-SPAN video at around the 20:50 mark, Senator Leahy
asks Morell whether Americans should be concerned about Section 215,
given that only metadata is collected under the program. Here was
Morell’s response:

“I’ll
say one of the things that I learned in this process, that I came to
realize in this process, Mr. Chairman, is that there is quite a bit
of content in metadata. When you have the records of phone calls
that a particular individual made, you can learn an awful lot about
that person. And that’s one of the things that struck me. There
is not, in my mind, a sharp distinction between metadata and content.
It’s more of a continuum.”
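Morell's point, that a set of call records "contains content", is easy to make concrete. The following is an added example, not code from the post, the hearing, or the Review Group: it runs a small metadata-only analysis over constructed call-detail records (caller, callee, start time, duration) and a constructed directory of publicly listed numbers. The inference rules (a recurring late-night contact, a counterpart whose listed identity is itself sensitive, contacts reachable within N call links, the "hops" of contact chaining) are assumptions of a typical analytic approach, not a description of any specific program.

```python
"""Metadata-only inference over constructed call-detail records (CDRs).

Every record and the directory below are constructed for illustration;
no call content is present, only who called whom, when, and for how long.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed CDRs: (caller, callee, start time in ISO 8601, duration in seconds).
CDRS = [
    ("555-0100", "555-0199", "2014-01-06T02:14:00", 1420),
    ("555-0100", "555-0199", "2014-01-07T02:30:00", 980),
    ("555-0100", "555-0199", "2014-01-09T01:55:00", 1760),
    ("555-0100", "555-0142", "2014-01-06T09:00:00", 60),
    ("555-0100", "555-0142", "2014-01-07T09:02:00", 45),
    ("555-0142", "555-0100", "2014-01-08T17:40:00", 300),
    ("555-0100", "555-0177", "2014-01-08T12:00:00", 600),
    ("555-0177", "555-0188", "2014-01-08T12:15:00", 120),
]

# Constructed directory: listed numbers whose identity alone is sensitive.
DIRECTORY = {
    "555-0199": "crisis hotline",
    "555-0177": "oncology clinic",
}


def counterpart(record, number):
    """Return the other party of a record involving `number`, else None."""
    caller, callee, _, _ = record
    if caller == number:
        return callee
    if callee == number:
        return caller
    return None


def contacts(cdrs, number):
    """Call count per counterpart: the weighted contact graph around `number`."""
    counts = Counter()
    for rec in cdrs:
        other = counterpart(rec, number)
        if other is not None:
            counts[other] += 1
    return counts


def night_fraction(cdrs, number, other, start_hour=0, end_hour=5):
    """Share of calls between `number` and `other` that start in [start_hour, end_hour)."""
    calls = [rec for rec in cdrs if counterpart(rec, number) == other]
    if not calls:
        return 0.0
    late = sum(1 for _, _, ts, _ in calls
               if start_hour <= datetime.fromisoformat(ts).hour < end_hour)
    return late / len(calls)


def contact_chain(cdrs, seed, hops):
    """Numbers reachable from `seed` within `hops` call links (contact chaining)."""
    adjacency = defaultdict(set)
    for caller, callee, _, _ in cdrs:
        adjacency[caller].add(callee)
        adjacency[callee].add(caller)
    frontier, seen = {seed}, {seed}
    for _ in range(hops):
        frontier = {n for f in frontier for n in adjacency[f]} - seen
        seen |= frontier
    return seen - {seed}


def profile(cdrs, number, directory):
    """Inferences about `number` drawn from metadata alone."""
    counts = contacts(cdrs, number)
    inferences = []
    for other, n in counts.most_common():
        label = directory.get(other)
        if label:
            inferences.append(f"{n} call(s) to {label} ({other})")
        # Three or more calls, mostly in the small hours, is a pattern, not a one-off.
        if n >= 3 and night_fraction(cdrs, number, other) >= 0.75:
            inferences.append(f"recurring late-night calls to {other}")
    return {"top_contacts": counts.most_common(3), "inferences": inferences}


if __name__ == "__main__":
    for line in profile(CDRS, "555-0100", DIRECTORY)["inferences"]:
        print(line)
    print("two hops from 555-0100:", sorted(contact_chain(CDRS, "555-0100", 2)))
```

Nothing in the input says what was discussed, yet the output names a repeated small-hours caller to a crisis line and a contact with a cancer clinic, and a two-hop chain pulls in a number the subject never dialed. That is the "continuum" in practice: the sensitivity is in the pattern, not in any single record.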

I would never for a
second believe that France was not already doing this. Are they now
worried about appearances?

France’s
December
18, 2013 law on military spending contains two provisions that
facilitate the collection of data by the French military and
intelligence services. The first provision relates to the collection
of passenger name records (PNRs). Under the new law, airlines are
required to send PNRs to authorities in accordance with a yet to be
adopted government decree. The data may be held for up to five years
and may not contain sensitive data (i.e., data relating to the
passenger’s racial or ethnic origin, religious or philosophical
beliefs, political opinions, trade union membership, health, or
sexual orientation). The French data protection authority, the CNIL,
was consulted in connection with these new PNR provisions.

The
second and more controversial government data collection provision is
article 20 of the December 18 law that permits French
intelligence and security agencies to collect metadata from telecom
operators and hosting providers, including in real time.

One
hot area of data privacy litigation over the past several years has
been data breach class actions brought under the California
Confidentiality of Medical Information Act (“CMIA”),[1]
which provides that a person may recover $1,000 “nominal”
damages against a healthcare provider who has negligently “released”
the person’s medical information. Until recently, no California
appellate court had directly analyzed what constitutes a “release”
of medical information under the CMIA. The court in The
University of California v. Superior Court (Platter)[2]
addressed this question for the first time in 2013 and held that the
mere loss of possession of computer equipment containing medical
information was not sufficient to constitute a release of the
information itself.

Thanks for watching
that YouTube video! That will be 50 cents, please.

Sound unrealistic? It's
actually a distinct possibility, after a Federal appeals court on
Tuesday struck down an FCC ruling meant to prevent an Internet
service provider -- the company you pay for online access -- from
prioritizing some website traffic over others.

And because that rule
was wiped off the books, those ISPs are suddenly able to do just
that. With service providers suddenly able to charge
based on the type of content you watch or the sites you visit,
it's easy to imagine a system like that of today's cable television
market. Want HBO? It's an extra $5. Want our streaming video
package, with YouTube, Hulu, TV.com, and more? That's $5 too.

Don't pay and you can't
watch. Period.

… “A broadband
provider like Comcast might limit its end-user subscribers’ ability
to access The New York Times website if it wanted to spike
traffic to its own news website,” the
ruling notes.

“We don't need no
stinking jurisdiction/authorization/budget/management!” After all,
we're all chasing the same people, right?

Customs
& Border Protection recently “discovered” additional daily
flight logs that show the agency has flown its drones on behalf of
local, state and federal law enforcement agencies on 200 more
occasions than previously released records indicated.

Last
July we reported, based on daily flight log records CBP made
available to us in response to our Freedom
of Information Act lawsuit, that CBP
logged an eight-fold increase in the drone surveillance it
conducts for other agencies. These agencies included a diverse group
of local, state, and federal law enforcement—ranging from the FBI,
ICE, the US Marshals, and the Coast Guard to the Minnesota
Bureau of Criminal Investigation, the North Dakota Bureau of
Criminal Investigation, the North Dakota Army National Guard, and the
Texas Department of Public Safety.

“Rep. Jeff Duncan
(R-SC), Chairman of the Subcommittee on Oversight and Management
Efficiency, released a…report that examines the Department of Homeland
Security’s (DHS) planning process for its new headquarters and
details how taxpayer dollars have been spent on the project to date.
Originally founded in 1852 as a government-run hospital for the
mentally ill, St. Elizabeths is a national historic landmark. In
2006, the hospital was chosen as the future site of a consolidated
headquarters complex for DHS, in an effort to build cohesiveness
among Department components. The project has
received $1.3 billion in funding to date and only the U.S.
Coast Guard headquarters complex has been completed. The 26-page
report reviews the potential areas of cost growth, selection and
planning issues, and the effects of green initiatives and the site’s
historic status on construction costs, among other concerns.
Specifically, the report found that it remains unclear how active DHS
officials were in choosing the site of their future headquarters.
Furthermore, DHS has pushed final completion to
fiscal year 2026, 10 years beyond the original schedule, and delays
in construction have increased costs by 30% – about $1 billion.
The report questions why DHS has not conducted a major reassessment
nor considered a new approach to headquarters consolidation…”

“The expanded use of technology has changed the paradigm of the
workspace requirements by allowing a greater emphasis on working from
home as a way to reduce square footage requirements. This allows for
more shared work spaces… With statements made by senior
leadership, the morale concerns, the $1 billion cost increase, and
slippage of the completion date to FY 2026, the Committee questions
why there has not been a major reassessment of the headquarters
consolidation project now with a ten year extension to the project’s
deadline and why DHS has not considered a new approach to
headquarters consolidation.”

[From
the report:

When it was originally
proposed and approved, the St. Elizabeths project had a price tag of
$3.45 billion; however, in the Department’s most recent update on
the project, DHS and GSA submitted cost projections of $4.5 billion
with a completion date of 2026.]

About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.